Improving Onion Notation Richard Clayton - PowerPoint PPT Presentation

Improving Onion Notation Richard Clayton ���������������������� ����������� �� �����������

Why does notation matter? In signs one observes an advantage in discovery which is greatest when they express the exact nature of a thing briefly and, as it were, picture it; then indeed the labour of thought is wonderfully diminished. Leibniz, 1646–1716

Summary • Current onion notation • What’s important about a notation? • A new notation • Using the new notation • Discussion • Lunch!

Sending message T to Alice R 2 M1 R 1 A R 0 T K A K M1 K M2 M2 M1 A

Sending message T to Alice R 2 M1 R 1 A R 0 T K A K M1 K M2 M2 M1 A

Onion notation • MIXs invented by David Chaum, 1981 • K i (x) means “seal” x with key K i • Hence an “onion” [Goldschlag et al 1996] for text T destined for node A (owner of key K a ) sent via MIX M 1 (owner of key K 1 ) is, with the addition of nonces R 1 and R 0 : K 1 (R 1 ,K a (R 0 ,T),A)

Onion notation II • Ohkubo & Abe, 2000 • use Ki (x) to mean “encrypt” x with key K i • Hence an “onion” for text T destined for node A (owner of key K a ) sent via MIX M 1 (owner of key K 1 ) is, with the addition of nonces R 1 and R 0 : K1 (R 1 , Ka (R 0 ,T),A)

Onion notation III • Serjantov, 2003, following BAN tradition • {x} Ki means “encrypt” x with key K i • Hence an “onion” for text T destined for node A (owner of key K a ) sent via MIX M 1 (owner of key K 1 ) is, with the addition of nonces R 1 and R 0 : {R 1 ,{R 0 ,T} Ka ,A} K1

Assessing notations A) Make it fit on one line Frege, 1879 Begriffsschrift The start of the age of symbolic logic. His contemporaries failed to cope!

Assessing notations B) Make it easy to write eg: “ Ki (x)” has custom subscript, font size and line spacing C) Make it easy to read can you read sub script from the back ?

Assessing notations D) Will it allow errors to be detected ? E) Will it allow simple generalisation F) Will it be easy to comprehend so what of this example? so what of this example? K n (R n …(R 2 ,K 1 (R 1 ,K a (R 0 ,T),A),M 1 )…M n ) K n (R n …(R 2 ,K 1 (R 1 ,K a (R 0 ,T),A),M 1 )…M n-1 )

There must be a better way! | R 0 ,T # K a |R 1 ,*,A # K 1 | is the start of a section of the onion #K means encrypt this section with key K * is the result of the previous encryption

There’s no nesting to unpick! • Three MIXs: | R 0 ,T # K a |R 1 ,*,A # K 1 |R 2 ,*,M 1 # K 2 • n MIXs: | R 0 ,T # K a |R 1 ,*,A # K 1 |…|R n ,*,M n-1 # K n-1

Pfitzmann & Waidner 1986 • Avoid end-to-end retransmission on failures X a K a (T) X n K n (k n , A), k n (X a ) X i K i (k i ,M i+1 ,k i+1 ,M i+2 ),k i (X i+1 ) ie: besides normal information, each MIX is told about next but one MIX and can route around a failure. The sender also encrypts with k i values and tells appropriate MIXs their values.

In the new notation X a |T # K a X n |k n , A # K n |X a # k n |* 0 * 1 X i |k i , M i+1 ,k i+1 ,M i+2 # K n |X i+1 # k i |* 0 * 1 where * 0 is the result of encrypting the previous section and * 1 the result of encrypting the section before that

Avoiding the induction |T # k a |k n ,A # K n |* 0 * 1 # k n-1 |k n-1 ,M n ,k n ,A # K n-1 |* 0 * 1 # k n-2 |k n-2 ,M n-1 ,k n-1 ,M n # K n-2 |* 0 * 1 # k n-3 |k n-3 ,M n-2 ,k n-2 , M n-1 # K n-3 | * 0 * 1 # k n-4 … and can now reason about security properties

Questions for a discussion • Is it worthwhile making the notation resemble the implementation, or should it resemble Encryption(functions) ? • Do we actually have trouble reading nested brackets? or lots of sub scripts ? or … ellipses? • If this notation isn’t useful, should we start to ruthlessly stamp out the new-fangled notations that are appearing ?

Why does notation matter? In signs one observes an advantage in discovery which is greatest when they express the exact nature of a thing briefly and, as it were, picture it; then indeed the labour of thought is wonderfully diminished. Leibniz, 1646–1716

Discussion | R 0 ,T # K a |R 1 ,*,A # K 1 |…|R n ,*,M n-1 # K n-1 | is the start of a section of the onion # K means encrypt this section with key K * is the result of the previous encryption

More ideas • Brackets: | K a (R 0 ,T) | K 1 (R 1 ,*,A) | K 2 (R 2 ,*,A) • Arrows: | R 0 ,T>K a |R 1 ,*,A>K 1 |…|R n ,*,M n-1 >K n-1 or | R 0 �� K a |R 1 ���� � 1 |…|R n ,*,M n-1 K n-1

And a functional notation (Grothoff) F(a, b)(x) := E ka (R a , x, b) (f(A,B) o f(B,C) o f(C,C)) (T)

Power notation (Serjantov) cf: � or ���� (Euler’s notation) n � R i , *, M i i=0 • where A is M 0 and the “initial” * is empty

More discussion ? • At lunch ? • Or later in the workshop ! richard.clayton@cl.cam.ac.uk http://www.cl.cam.ac.uk/~rnc1/